Bad idea: build a captcha library that embeds DOSBox so it can make you beat levels/puzzles from DOS games to continue.
-
hah! it works!
it turns out they installed this pre-win95 graphics library into System32 of my 64bit windows system (well, sysWOW64)
-
okay I'm running in a debugger now, with breakpoints on LoadLibrary/GetProcAddress.
There's no activity while doing stuff that'll trigger the .DAT files (which are DLLs) to load.
-
I wonder if these fuckers just skipped using the windows DLL loader and wrote their own so they could use them on win32?
-
@foone woag i am so here for this
i’ve also been reverse engineering gizmos & gadgets (<https://github.com/delan/reverssg>), so i’m very keen to read about what you find. good luck!
-
oh goody, they're not using the regular CreateFile
they're using _lopen. The 16-bit windows compatibility one!
-
@delan oh, awesome! I'll have to look through what you've found so far.
-
and CreateFile.
they use both. fun!
-
see the cool thing about reversing 32bit or 64bit code is that it's not segmented, so when you look in your debugger and it says it's running a function at 0x004013cc, you can go over to ghidra and type in "0x004013cc" and it'll show you that same function!
-
this may seem "boring" and "mundane" and "how debuggers always work?" but just imagine you have lost that simple ability to compare code between the two programs?
that is the horror of 16bit segmented code
-
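An added illustration of the point in the previous post (example code written for this thread, not part of the original posts or any project mentioned in them): in 32-bit flat code the address a debugger shows is the address you type into the disassembler, but in 16-bit real-mode code one byte has thousands of different segment:offset spellings, so a debugger's `1234:0010` and a listing's `1000:2350` can be the same instruction without looking alike. The segment:offset values below are constructed samples.

```python
# Added example, not code from the thread: why a debugger address in 16-bit
# segmented real-mode code cannot simply be typed into a flat-address
# disassembler, while a 32-bit flat address can.

def real_mode_linear(segment: int, offset: int) -> int:
    """Map a 16-bit real-mode segment:offset pair to its 20-bit linear address."""
    if not (0 <= segment <= 0xFFFF and 0 <= offset <= 0xFFFF):
        raise ValueError("segment and offset must be 16-bit values")
    return ((segment << 4) + offset) & 0xFFFFF


def aliases_for(linear: int, limit: int = 4096) -> list:
    """Return up to `limit` distinct segment:offset pairs that all map to `linear`.

    In real mode a linear address has as many spellings as there are segments
    for which the remaining offset still fits in 16 bits (up to 4096 of them).
    """
    pairs = []
    for seg in range(0x0000, 0x10000):
        off = linear - (seg << 4)
        if 0 <= off <= 0xFFFF:
            pairs.append((seg, off))
            if len(pairs) >= limit:
                break
    return pairs


def same_code_location(a: tuple, b: tuple) -> bool:
    """Two segmented pointers name the same byte iff their linear addresses match."""
    return real_mode_linear(*a) == real_mode_linear(*b)


def flat_lookup(address: int) -> int:
    """In 32-bit flat code the mapping from debugger address to listing address
    is the identity: what the debugger prints is what you type into Ghidra."""
    return address & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed sample: the debugger reports the current instruction at 1234:0010.
    dbg = (0x1234, 0x0010)
    print(f"{dbg[0]:04X}:{dbg[1]:04X} -> linear {real_mode_linear(*dbg):05X}")
    # A listing that laid the same function out as 1000:2350 looks unrelated but is the same byte.
    listing = (0x1000, 0x2350)
    print("same bytes:", same_code_location(dbg, listing))
    print("first aliases:", [f"{s:04X}:{o:04X}" for s, o in aliases_for(0x12350, 5)])
    print("number of aliases:", len(aliases_for(0x12350)))
    # Flat 32-bit case: the address from the thread maps to itself.
    print("flat 32-bit: 0x%08X -> 0x%08X" % (0x004013CC, flat_lookup(0x004013CC)))
```

Running it shows that `1234:0010` and `1000:2350` both resolve to linear `12350`, that this one byte has 4096 segment:offset spellings, and that the 32-bit address `0x004013cc` from the post above maps to itself.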
I've been doing too much GBA reverse engineering. I saw a 32bit pointer starting with 0x02 and tried to remember if that was on-cartridge RAM.
this is a /windows/ program. on windows 10.
THERE ARE NO CARTRIDGES!
-
now let me copy this program onto this SD card in my laptop's built-in SD card reader
-
Jason Parker (he/they) replied to Foone🏳️⚧️
@foone but what if there were cartridges?
-
Foone🏳️⚧️ replied to Jason Parker (he/they)
@north this thought experiment gave us the IBM PCjr, which was a massive flop.
-
@foone couldn't have written a little script to write that for them? or do you think they actually copy pasted that out by hand?
-
@Canageek probably a macro in their compiler. little scripts are rarer then, but possibly?
-
yeah this is some windows 3.x-ass code. They definitely recompiled it as 32bit and did all the changes that required, but the general feel of the code is that it's 3.x code, with how it handles most things.
-
WHAT IN THE BORLAND TURBO C PLUS PLUS IS GOING ON HERE?
-
Ghidra is better at reversing MSVC-style arguments than Borland-style. Makes sense. Probably not a lot of Evil Malware written in Borland Turbo C++ these days
-
What happened: I'm looking at a function that's clearly a strcmp of some kind. It seems to compare against a length, so... strncmp? looks like it, except it takes FOUR ARGUMENTS?! what could this be?
I look at several variants of strncmp to see if there's a 4-argument version, then give up and look back at ghidra's decompilation: it never uses argument 1.
-
there's some nonsense going on here with pascal calling convention but I think I'm too tired already to figure out the exact details well enough to explain it.